2025-09-15, Main Room
Detection engineering in the cloud is often hobbled by poor telemetry documentation and vague, static log-to-MITRE mappings. In this talk, we will share Cloudots, a research system that replaces those static mappings by empirically constructing and maintaining a technical knowledge layer over cloud telemetry.
Cloudots runs autonomous AI agents that simulate adversarial scenarios on AWS, Azure, and GCP. The agents take high-level objectives such as “exfiltrate data” or “achieve persistence via IAM abuse” and break them down into low-level API call graphs through goal-oriented planning and domain-specific introspection. Each simulation executes in sandbox cloud accounts against the real provider APIs (no mocks), collecting full telemetry, timing behavior, and resource state transitions. Afterwards, the system records which log sources and events were actually triggered by each step, and which of those are relevant for detecting the attack.
The result is a structured, queryable knowledgebase that maps specific log entries (CloudTrail, VPC Flow Logs, GCP Audit Logs, etc.) to MITRE ATT&CK tactics and techniques, with context on signal fidelity, timing, and trigger conditions. We then exposed this knowledgebase through an MCP (Model Context Protocol) server and built a chat interface on top of it, so analysts can ask cloud security questions in natural language and get answers grounded in the Cloudots knowledgebase.
In this session, we’ll share architecture lessons, failure modes, signal insights across the three platforms, and practical use cases such as coverage validation and detection prioritization. We hope to get the audience and the wider cloud security community to rethink how AI can be used to empower cloud defenders, because attackers are already using it to their advantage.
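To make the correlation step concrete, here is an added illustration of the kind of technique-to-telemetry mapping described above. It is not Cloudots code and does not reflect the talk's implementation: it takes a constructed simulation trace (which API each step called, when, and under which ATT&CK technique), a handful of constructed CloudTrail-shaped records (real field names, fabricated values; the `_ingested_at` field is assumed to be added by the collection harness and is not part of CloudTrail), and derives per-technique coverage, delivery latency, a simple fidelity label, and the trigger parameters. The deliberate gap for `s3:GetObject` shows a real trigger condition: object-level S3 calls are CloudTrail data events and are not logged unless data-event logging is enabled, so the mapping must record "no telemetry" rather than assume the documented event exists.

```python
"""Correlate simulated attack steps with the CloudTrail records they produced.

Illustrative example, not Cloudots code. All inputs are constructed inline.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

ACTOR_ARN = "arn:aws:iam::123456789012:user/sim-agent"  # constructed principal

# Constructed simulation trace emitted by the attacking agent.
SIMULATION_STEPS = [
    {"technique": "T1098.003", "api": "iam:AttachUserPolicy", "issued_at": "2025-09-15T10:00:00Z"},
    {"technique": "T1098.003", "api": "iam:CreateAccessKey", "issued_at": "2025-09-15T10:00:05Z"},
    {"technique": "T1530", "api": "s3:GetObject", "issued_at": "2025-09-15T10:01:00Z"},
]

# Constructed records using real CloudTrail field names. "_ingested_at" is NOT a
# CloudTrail field: it is when the collection harness first saw the record, which
# is what a delivery-latency measurement needs (eventTime is service-side time).
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2025-09-15T10:00:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "readOnly": False, "userIdentity": {"arn": ACTOR_ARN},
     "requestParameters": {"userName": "victim",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "_ingested_at": "2025-09-15T10:04:10Z"},
    {"eventTime": "2025-09-15T10:00:06Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "readOnly": False, "userIdentity": {"arn": ACTOR_ARN},
     "requestParameters": {"userName": "victim"}, "_ingested_at": "2025-09-15T10:04:10Z"},
    # Unrelated read-only activity by another principal in the same window (noise).
    {"eventTime": "2025-09-15T10:00:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/monitoring"},
     "requestParameters": None, "_ingested_at": "2025-09-15T10:04:10Z"},
    # Deliberately no record for s3:GetObject: object-level S3 calls are CloudTrail
    # data events and are not logged unless data-event logging is enabled.
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def expected_event(api):
    """Map a 'service:Action' API string to the (eventSource, eventName) CloudTrail should record."""
    service, action = api.split(":", 1)
    return f"{service}.amazonaws.com", action


def correlate(steps, records, actor_arn, match_window_s=60):
    """Return technique -> signal -> raw observation counters."""
    def fresh():
        return {"expected": 0, "observed": 0, "delivery_lag_s": [],
                "read_only": None, "sample_params": None}
    kb = defaultdict(lambda: defaultdict(fresh))
    for step in steps:
        source, name = expected_event(step["api"])
        entry = kb[step["technique"]][f"{source}:{name}"]
        entry["expected"] += 1
        issued = parse_ts(step["issued_at"])
        for rec in records:
            if rec["userIdentity"]["arn"] != actor_arn:
                continue  # attribute only the agent's own activity, not background noise
            if (rec["eventSource"], rec["eventName"]) != (source, name):
                continue
            offset = (parse_ts(rec["eventTime"]) - issued).total_seconds()
            if not 0 <= offset <= match_window_s:
                continue  # same API, but not this step's invocation
            entry["observed"] += 1
            entry["delivery_lag_s"].append((parse_ts(rec["_ingested_at"]) - issued).total_seconds())
            entry["read_only"] = rec.get("readOnly")
            entry["sample_params"] = rec.get("requestParameters")
            break
    return kb


def summarize(kb):
    """Flatten counters into the queryable form an analyst would consume."""
    out = {}
    for technique, signals in kb.items():
        out[technique] = []
        for signal, e in signals.items():
            lags = e["delivery_lag_s"]
            if e["observed"] == 0:
                fidelity = "none"   # technique executed, nothing logged
            elif e["read_only"]:
                fidelity = "low"    # read-only events are common background noise
            else:
                fidelity = "high"   # state-changing event tied to the technique
            out[technique].append({
                "signal": signal,
                "coverage": e["observed"] / e["expected"],
                "median_delivery_lag_s": statistics.median(lags) if lags else None,
                "fidelity": fidelity,
                "trigger": e["sample_params"],
            })
    return out


def coverage_gaps(summary):
    """Techniques that executed without producing any of their expected telemetry."""
    return sorted(t for t, sigs in summary.items() if any(s["coverage"] == 0 for s in sigs))
```

Running `summarize(correlate(SIMULATION_STEPS, CLOUDTRAIL_RECORDS, ACTOR_ARN))` yields two high-fidelity IAM signals for T1098.003 with roughly four minutes of delivery lag, and `coverage_gaps(...)` flags T1530, which is exactly the coverage-validation finding an analyst would want surfaced. The fidelity heuristic here is a placeholder; the point is that every field in the output comes from observed telemetry rather than from documentation.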
Itay Gabbay is the CTO and co-founder of Brava Security, where he leads the company vision around cloud-scale telemetry, SIEM efficiency, and security signal architecture. Before Brava, he served as VP of R&D at several companies, focusing on building intelligent systems and AI agents capable of reasoning and operating autonomously in complex environments. Earlier in his career, he led cloud security efforts for the IDF, overseeing the protection and monitoring of mission-critical workloads in its private cloud.
Amir Zak is the Security Research Lead at Brava Security, where he drives cutting-edge research focused on advancing cloud security.
A veteran of the IDF's elite intelligence corps, Amir brings over a decade of hands-on security research experience spanning IoT security, network security, operating systems, and large-scale cloud environments.
With a career rooted in tackling complex security challenges across diverse technological domains, Amir has developed a deep expertise in analyzing threats, designing robust defense strategies, and uncovering vulnerabilities in modern infrastructures. His work has consistently contributed to strengthening organizational security posture and shaping industry best practices.
In addition to his role as Security Research Lead, Amir also serves as Brava Security’s AI Lead. In this capacity, he focuses on integrating advanced AI and LLM techniques into security research and product innovation, pushing the boundaries of automated detection and intelligent defense mechanisms.
Amir's unique combination of military intelligence training, broad technical expertise, and visionary leadership in both security and AI positions him at the forefront of modern cybersecurity research.